If you're reliant on your managed mode for your Chromebook fleet, you're going to need to monitor to make sure they remain enrolled until Google's patch can be deployed. Effectively, you boot from external media, run the code which both unenrolls the device and puts it in developer mode. If you're researching this behavior, make sure that you're using a valid shim, as some will brick the Chromebook. If you're creating a device that supports developer and managed modes, create two accounts before enrolling: first in developer mode, the second enrolled.
This exploit requires direct access to the Chromebook. While that may be appealing for users of enrolled and managed Chromebooks, it is likely a violation of enterprise IT security policies, and violators would be held accountable. Physical access to devices (laptops, desktops, etc.) opens up a number of potential new attack vectors that can be used by an adversary.
The Register
SC Magazine
The Hacker News
Bleeping Computer
Neowin
Not a lot of information out on this one – the important part is always *why* and *how* the attack succeeded. In the financial world, being forced to use slower manual trading/reconciliation processes can carry huge costs to customers, and for the financial organization hit, that cost swamps recovery costs.
The LockBit ransomware group is taking credit for this attack, threatening to leak data on Feb 4 unless the ransom demand is paid. Financial institutions using their services currently have to process trading and clearing of exchange-traded derivatives manually. The question is how long manual processing will be viable. When reviewing DR plans, this is something to contemplate and at least plan for a point where you need to move to a new automated system before the business impact is unacceptable.
This ransomware attack, while specific to financial trading systems, is a good reminder for every enterprise to revisit their SLA with third-party software vendors. Reliance on third-party vendors for products and services should be part of a company’s risk assessment, and mitigations such as switching to staff-intensive processes should be regularly tested to counter impacts to business operations.
Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to the charger includes data lines to regulate charging and provide metering as well as payment information. It is more like a "very large USB-C" charger in how it combines data and power delivery. This provides an avenue to either attack the charger or the car. In addition, wireless networking may be used as well to interface with mobile devices for payment.
In 2021 USD 7.5B was allocated over five years to build out EV charging stations and last September the Biden administration launched a grant program to build charging networks along 75,000 miles of interstate highways. That means the focus is going to be on deployment before the money runs out rather than cyber security. While many states are working to require cyber security components as part of approving grants for EV charging stations, this still leaves existing or legacy installations possibly exempted. If providers don't resolve issues, expect a regulatory body, like NERC, to step in and require it. Regardless, if you're in the EV charging business, you want to make sure that you've got cyber security covered, before your hand is forced.
This announcement isn’t unexpected as the EV infrastructure continues to build out. Researchers in academia, private sector, and hacking circles will start fully testing the underlying protocols and vulnerabilities will be found. Unfortunately, speed to market often trumps adequate security testing of new technology. We’ve witnessed a similar parallel with vehicle automation. What’s important is that the industry move quickly to close this and other vulnerabilities, as they will be targeted by cybercriminals.
Oracle released the update in their October 2022 CPU; SugarCRM released their patch Jan 11, 2023. SugarCRM cloud services are already updated. Three weeks is not a lot of time for regression testing of ERP and CRM systems: you're going to need to not only build an aggressive schedule, but also management support for the resource hit. Even though the Oracle release was in October, be sure it wasn't postponed due to the fiscal year open/close. (Sept 30/Oct 1 for Federal Agencies.)
It is clear that the FBI Cyber Crimes Unit has adapted its tactics, techniques, and procedures to better support victims of cybercrime. In this instance, while successful, other cybercriminal gangs will learn from this change in tactics to increase their vetting procedures. As always, more work needs to be done to make enterprises more resilient against ransomware attacks.
The FBI is facing a balancing act. While their work gets them access to tools, like decryptors, that victims desperately need, releasing those tools can also compromise their investigation. The trend with the Hive takedown indicates they are actively working to release things sooner. My takeaway is to make sure that you've got a relationship with your local FBI office so you know who to call if you have an incident and need to leverage their resources.
National Laboratories have been a target since their inception, meaning they also have a lot of experience with detection, defense, monitoring and response. If you're the subject of a data call, such as this, don't take it personally: work to gather the requested information, then review it carefully with management before turning it over so they understand any implications. Do not fail to respond.
The Healthcare Sector was frequently targeted for ransomware attacks in 2022 and that trend is continuing into 2023. Organizations that make up this critical infrastructure sector can’t say they haven’t been warned that a ransomware attack is coming for you. I urge all organizations to use the recently published ‘Blueprint for Ransomware Defense’ as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.
As the event is still under active investigation, Atlantic General is holding their cards close until they have definitive answers. In the meantime, they are operating under a combination of manual procedures and reduced capacity to minimize the overall impact on patients. While working to increase security, which the medical profession is doing, it's important to look beyond your top identified mitigations to make sure that you've not left unaddressed attack paths, e.g., MFA on the workstations but leaving accessible (unprotected) network jacks in the conference rooms.
Hospitals really need to isolate patient-facing applications from those, like e-mail and browsing, that are connected to the public networks.
Health IT Security
SC Magazine
If only new org charts and strategic plans could solve supply chain security issues. More info to buyer organizations is pretty low on the need list to improve supply chain security – more pressure on the suppliers is needed. In 2018 the Federal Acquisition Security Council (FASC) was created by the 2018 Federal Acquisition Supply Chain Security Act. In 2021, FASC issued rulemaking establishing authority to issue removal and exclusion orders if suppliers were found to be negligent. US procurement policy moved pretty quickly to remove/exclude Chinese suppliers of technology, but I can’t find any case of any actual action taken against the numerous suppliers that have had cybersecurity incidents. The US government needs to use its buying power to drive progress.
Beyond training for a consistent approach, having resources to share existing research would be helpful. Those databases would need to include context, and the hardest part, remain unclassified.
One might hope that holding suppliers accountable for shipping malicious code would be an obvious place to start. At some point we must address the software quality problem. We may be spending as much or more trying to eliminate vulnerabilities in software which the suppliers wrote themselves as we are eliminating malicious code that they shipped but did not write.
Federal News Network
The flaw only applies to the product with the native docker status; if your device has Dockerd running, it's not vulnerable. There really isn't a viable workaround other than disabling the IOx application hosting service entirely, which is unlikely to be a viable option. Cisco's updates are free; check their release notes for the versions relating to your affected products.
F5 has released an engineering hotfix, available from their downloads site. Before deploying the hotfix, read and understand the caveats relating to how to return to a mainstream release of F5 BIG-IP (see their KB55025573: Engineering hotfix installation overview). Alternately, there is a workaround that limits iControl SOAP message traffic, but this will prevent adding new devices to a device trust.
Rotating Packet Captures with pfSense
https://isc.sans.edu/diary/Rotating+Packet+Captures+with+pfSense/29500
Detecting Malicious OneNote Files
https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494
DShield Honeypot Setup with pfSense
https://isc.sans.edu/diary/DShield+Honeypot+Setup+with+pfSense/29490
BEC Group Incorporates Secondary Impersonated Personas
https://intelligence.abnormalsecurity.com/blog/firebrick-ostrich-third-party-reconnaissance-attacks
MalVirt .Net Virtualization Thrives in Malvertising Attacks
https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/
Cisco Remote Code Execution with Persistence
Microsoft Defender Device Isolation for Linux
SH1MMER Exploit for Chromebooks (new domain)
https://thehackernews.com/2023/02/new-sh1mmer-exploit-for-chromebook.html
DOMPDF SVG Parsing Vulnerability
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
Threat Actors Abusing Microsoft's "Verified Publisher" Status
PoS Malware Can Block Contactless Payments
Detecting Files Exempt from Anti Malware Scans